For those of you who are using the TDS behind a reverse proxy with an Apache
HTTP server front end:

Begin forwarded message:

> From: Eric Covener <covener@xxxxxxxxxx>
> Date: May 6, 2026 at 7:34:19 AM MDT
> To: announce@xxxxxxxxxx, announce@xxxxxxxxxxxxxxxx
> Cc: announce@xxxxxxxxxxxxxxxx
> Subject: CVE-2026-28780: Apache HTTP Server: buffer overflow in mod_proxy_ajp
> via ajp_msg_check_header()
> Reply-To: announce@xxxxxxxxxxxxxxxx
>
> Severity: low
>
> Affected versions:
>
> - Apache HTTP Server through 2.4.66
>
> Description:
>
> Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP
> Server.
> If mod_proxy_ajp connects to a malicious AJP server this AJP server can send
> a malicious AJP message back to mod_proxy_ajp and cause it to write 4
> attacker controlled bytes after the end of a heap based buffer.
>
> This issue affects Apache HTTP Server: through 2.4.66.
>
> Users are recommended to upgrade to version 2.4.67, which fixes the issue.
>
> Credit:
>
> Andrew Lacambra (finder)
> Elhanan Haenel (finder)
> Tianshuo Han (<hantianshuo233@xxxxxxxxx>) (finder)
> Tristan Madani (finder)
>
> References:
>
> https://httpd.apache.org/security/vulnerabilities_24.html
> https://httpd.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2026-28780
>
> Timeline:
>
> 2026-02-04: reported
> 2026-03-18: reported by 3rd finder
> 2026-02-28: reported by 2nd finder
>
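
A triage check for the advisory above, added here as an example; it is not part of the forwarded message or of Apache's own tooling. It parses the text printed by `httpd -v` and `httpd -M` and reports whether the version is at or below 2.4.66 and whether mod_proxy_ajp is loaded. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Triage for CVE-2026-28780 (added example; names and samples are constructed).
# Real use (the binary may be httpd, apachectl or apache2ctl on your platform):
#   triage "$(httpd -v)" "$(httpd -M 2>/dev/null)"

# Pull "2.4.66" out of a line such as "Server version: Apache/2.4.66 (Unix)".
httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed if version $1 is at or below 2.4.66, the last affected release.
version_affected() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split "2.4.66" into 2 4 66
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -lt 2 ] && return 0
    [ "$maj" -gt 2 ] && return 1
    [ "$min" -lt 4 ] && return 0
    [ "$min" -gt 4 ] && return 1
    [ "$pat" -le 66 ]
}

# Succeed if the module list (httpd -M output) contains proxy_ajp_module.
ajp_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*proxy_ajp_module[[:space:]]'
}

# Print one verdict: unknown, fixed, affected-ajp-loaded, affected-ajp-not-loaded.
triage() {
    ver=$(httpd_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if ! version_affected "$ver"; then echo "fixed"; return 0; fi
    if ajp_loaded "$2"; then echo "affected-ajp-loaded"
    else echo "affected-ajp-not-loaded"; fi
}

# Constructed sample outputs, so the script runs offline.
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ajp_module (shared)'

triage "$SAMPLE_V" "$SAMPLE_M"
```

Distribution packages often backport security fixes without changing the upstream version string, so confirm an "affected" verdict against your vendor's advisory for the installed package.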